Cowboy 2.17 fixes a number of security vulnerabilities and improves the security checklist. The checklist is now included in the Hex package for convenience.
Cowboy 2.17 updates Cowlib to 2.18.0. Both applications must be updated as they both contain security fixes.
Cowboy 2.17 requires Erlang/OTP 24.0 or greater.
max_concurrent_streams to 100.
max_frame_size to 1MB.
invalid_response_headers option to HTTP/2.
invalid_response_headers to responses sent following an early_error stream handler call.
max_authority_length option. It limits the length of the authority component, regardless of where that component is found (request line in absolute-form, host header, :authority pseudo-header).
max_keys option to cowboy_req functions that parse the query string or form-urlencoded bodies. This new limit is applied in addition to existing length limits. It defaults to 100.
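
The following is an added sketch of how a key-count limit works alongside a length limit when parsing a query string or form-urlencoded body. It is not Cowboy or Cowlib code: the module name, the function names and the option map keys are assumptions made for the illustration, and decoding is delegated to OTP's uri_string:dissect_query/1.

```erlang
%% Added example, not Cowboy or Cowlib source code.
-module(qs_limit_example).
-export([parse_qs/2, demo/0]).

%% The Opts keys max_length and max_keys are names chosen for this sketch.
parse_qs(Qs, #{max_length := MaxLength, max_keys := MaxKeys})
        when is_binary(Qs) ->
    case byte_size(Qs) =< MaxLength of
        false -> {error, too_long};
        true ->
            %% Count keys before decoding, so an oversized input is
            %% rejected without building the key/value list.
            case within_key_limit(Qs, MaxKeys) of
                false -> {error, too_many_keys};
                true -> decode(Qs)
            end
    end.

within_key_limit(<<>>, _MaxKeys) -> true;
within_key_limit(Qs, MaxKeys) -> scan(Qs, 1, MaxKeys).

%% Each '&' starts another pair; stop scanning once the limit is exceeded.
%% Empty segments ("a=1&&b=2") are counted too, which errs on the strict side.
scan(_Rest, Count, MaxKeys) when Count > MaxKeys -> false;
scan(<<>>, _Count, _MaxKeys) -> true;
scan(<<$&, Rest/binary>>, Count, MaxKeys) -> scan(Rest, Count + 1, MaxKeys);
scan(<<_, Rest/binary>>, Count, MaxKeys) -> scan(Rest, Count, MaxKeys).

decode(Qs) ->
    case uri_string:dissect_query(Qs) of
        {error, Reason, _Term} -> {error, {malformed, Reason}};
        Pairs -> {ok, Pairs}
    end.

%% Constructed inputs: one ordinary query string, and one with 1000 short
%% keys that stays under the byte limit but exceeds the key limit.
demo() ->
    Opts = #{max_length => 8192, max_keys => 100},
    Small = <<"user=alice&page=2&sort=asc">>,
    Keys = [[$k, integer_to_list(I), $=] || I <- lists:seq(1, 1000)],
    Flood = iolist_to_binary(lists:join($&, Keys)),
    [parse_qs(Small, Opts), parse_qs(Flood, Opts)].
```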